From 1dd638513ab410c844455006c7ae4d5574d57b46 Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 25 Sep 2006 22:32:45 +0000 Subject: [PATCH] Add a qualification to FAQ 30 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4586 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/Actions.xml | 8 ++++++-- docs/Documentation.xml | 34 +++++++++++++++++++++++++++++++--- docs/FAQ.xml | 8 +++++--- 3 files changed, 42 insertions(+), 8 deletions(-) diff --git a/docs/Actions.xml b/docs/Actions.xml index 17b3f8f11..06f3ec281 100644 --- a/docs/Actions.xml +++ b/docs/Actions.xml @@ -74,8 +74,8 @@ class="directory">/usr/share/shorewall. Each action.* file has a comment at the beginning of the file that describes what the action does. As an example, here is - the definition of the AllowSMB standard - action. + the definition of the AllowSMB standard action + from Shorewall version 2.2. # # Shorewall 2.2 /usr/share/shorewall/action.AllowSMB @@ -96,6 +96,10 @@ ACCEPT - - tcp 135,139,445 the definition in /usr/share/shorewall. Rather, copy the file to /etc/shorewall (or somewhere else on your CONFIG_PATH) and modify the copy. + + Standard Actions have been largely replaced by macros in Shorewall 3.0 and later major + versions. diff --git a/docs/Documentation.xml b/docs/Documentation.xml index bb0d04956..949206f22 100644 --- a/docs/Documentation.xml +++ b/docs/Documentation.xml @@ -3699,6 +3699,35 @@ LOGBURST=5
/etc/shorewall/tos Configuration + + This Shorewall feature is somewhat broken -- while it shouldn't + hurt anything to use it, it may not do what you want either. + + In versions of Shorewall prior to 3.2.4, it is only safe to + specify "all" in the SOURCE and DEST columns. In 3.2.4 and later + versions: + + + + It continues to work fine if you specify "all" in both the + SOURCE and DEST columns. + + + + It mostly works when you specify zone names in either column + (provided that you have Mangle table FORWARD chain support in your + kernel) but it doesn't work with dynamic zones and it doesn't work + with IPSEC zones. + + + + If you specify a zone name together with an address in the + SOURCE or DEST column, the generated rule ignores the zone name and + simply matches on the source or destination address. + + + + The /etc/shorewall/tos file allows you to set the Type of Service field in packet headers based on packet source, packet destination, protocol, source port and destination port. In order for this @@ -3728,9 +3757,8 @@ LOGBURST=5 The destination zone. May be qualified by following the zone name with a colon (:) and either an IP address or an - IP subnet. Because packets are marked prior to routing, you may not - specify the name of an interface. This column may also contain - all to indicate any destination. + IP subnet. This column may also contain all to + indicate any destination. diff --git a/docs/FAQ.xml b/docs/FAQ.xml index d8edee32f..ac4db1ec0 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml 
@@ -342,9 +342,11 @@ DNAT net fw:192.168.1.1:22 tcp 4104 to go the opposite direction from SNAT/MASQUERADE. So if you masquerade or use SNAT from your local network to the internet then you will need to use DNAT rules to allow connections from the internet to your local - network. In all other cases, you use ACCEPT unless you need to hijack - connections as they go through your firewall and handle them on the - firewall box itself; in that case, you use a REDIRECT rule. + network. You also want to use DNAT rules when you intentionally want to + rewrite the destination IP address or port number. In all other cases, + you use ACCEPT unless you need to hijack connections as they go through + your firewall and handle them on the firewall box itself; in that case, + you use a REDIRECT rule.
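Review bot: In the second Actions.xml hunk, "largely replaced by macros in Shorewall 3.0 and later major versions" leaves the reader unsure which standard actions still apply to their version; since the surrounding text tells them to copy action.* files from /usr/share/shorewall and edit the copy, state whether that advice still holds for 3.x and name (or link to) the macro documentation that supersedes it, so an administrator does not maintain a customized action file that is no longer consulted.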
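Review bot: In the first Documentation.xml hunk, the third bullet ("the generated rule ignores the zone name and simply matches on the source or destination address") describes a silent mismatch between the tos entry the administrator writes and the rule Shorewall generates, which sits awkwardly under the opening "it shouldn't hurt anything to use it"; suggest flagging that bullet explicitly and advising readers to inspect the generated mangle rules after a restart to confirm the match is what they intended. In the second hunk, the removed sentence "Because packets are marked prior to routing, you may not specify the name of an interface" is dropped without replacement, so the DEST column description no longer says whether interface names are permitted; either restore an explicit "interface names may not be used here" or state the new rule.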
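Review bot: In the FAQ.xml hunk, "You also want to use DNAT rules when you intentionally want to rewrite" doubles "want"; suggest "You should also use DNAT when you intend to rewrite the destination IP address or port number." The hunk's own context line, `DNAT net fw:192.168.1.1:22 tcp 4104`, is exactly such a port-rewrite case (4104 redirected to 22), so referring to it here would make the new sentence concrete.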